
A few days ago I downloaded a file from the internet, and as soon as I opened it my Bitdefender AV detected some sort of virus, and it deleted it. But as soon as I restarted, I logged in and my desktop disappeared for no reason. When I try to run taskmgr it runs fine, and I can run anything from it, but when I try to run explorer.exe, it stays for a few seconds and disappears again.

Researching with procexp.exe and HJT I found that I have two strange .dlls in system32. One loads in winlogon and the other in lsaas.exe (I assumed this from the DLL view for processes in procexp.exe).

Here's my DSS log:

Deckard's System Scanner v20071014.68
Run by Administrador on 2008-07-26 15:07:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Crypserv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Archivos comunes\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Archivos de programa\Archivos comunes\BitDefender\BitDefender Update Service\livesrv.exe
C:\Archivos de programa\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\Archivos de programa\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Archivos de programa\QuickTime\qttask.exe
C:\WINDOWS\soundman.exe
C:\WINDOWS\system32\rundll32.exe
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\Vm_sti.exe
C:\Archivos de programa\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Java\jre1.6.0_01\bin\jucheck.exe
C:\Documents and Settings\Administrador\Escritorio\dss.exe

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Archivos de programa\\Windows Live\\Messenger\\livecall.exe"="C:\\Archivos de programa\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Archivos de programa\\utorrent\\utorrent.exe"="C:\\Archivos de programa\\utorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Archivos de programa\\utorrent\\utnt.exe"="C:\\Archivos de programa\\utorrent\\utnt.exe:*:Enabled:µTorrent"
"C:\\Archivos de programa\\Messenger\\msmsgs.exe"="C:\\Archivos de programa\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Disabled:Microsoft DirectPlay8 Server"
"C:\\Archivos de programa\\Skype\\Phone\\Skype.exe"="C:\\Archivos de programa\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"DEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~”ü"="DEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~”ü:*:Enabled:Nod32 Runtime"
"C:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Archivos de programa\\Windows Live\\Messenger\\livecall.exe"="C:\\Archivos de programa\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Archivos de programa\\Valve\\hl.exe"="C:\\Archivos de programa\\Valve\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\Archivos de programa\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="C:\\Archivos de programa\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe:*:Enabled:Crysis_32"
"C:\\Archivos de programa\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="C:\\Archivos de programa\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe:*:Enabled:CrysisDedicatedServer_32"
"C:\\Archivos de programa\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"="C:\\Archivos de programa\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe:*:Enabled:BattlefrontII"

Please respond, I know you are full with problems but I'm getting nuts...

Please be patient.. We are all volunteers and we do have our own real life outside the forum..

Please do the following...

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. DO NOT select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix (located in C:\combofix.txt) when you've accomplished that, along with a new HijackThis log.

Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary!
Cherish the pain, it means you're still alive

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
